Even pros struggle with Oracle security

An Oracle executive says the company's upcoming grid computing products won't increase customers' security headaches, but it became obvious during a panel discussion at OracleWorld that users are still troubled by today's unsolved security scourges.

Inc., has an Oracle security problem that is painfully familiar to users and executives alike.

No one -- not the expert authors he has consulted, nor Oracle Corp.'s chief security officer, Mary Ann Davidson -- has been able to provide him with a simple way to shut down the countless public privilege grants that are posing vulnerabilities to his system.

"Most of the vulnerabilities that the programmers are complaining about have to do with the grants," Willis-Ford told Davidson during an OracleWorld panel discussion of general security issues and Oracle-specific security efforts.

"Even for an experienced DBA, negotiating that maze would be tough."

Willis-Ford stumped the panel of security experts assembled for a technical session at this week's OracleWorld conference. It's not that Oracle's Davidson didn't have a response to his complaint, she said. However, she didn't have an immediate solution to his problem.

Davidson told the crowd of developers, DBAs and project planners that there is an "unconscionable number of grants to the public" available through Oracle. "I know this is a real problem, and I apologize for that," Davidson said. "It's not a great answer, but I'm committed to fixing it."

The 60-minute session offered practical tips for avoiding security trouble, as well as assessments of trends in security threats and responses. Davidson was joined by John Pescatore, a research analyst for Gartner Inc., and Aaron Newman, co-founder and chief technology officer at New York-based Application Security Inc.

In many cases, such as the one presented by Willis-Ford, there are no easy answers to security questions. In many others, the panelists said, there are simple steps that Oracle users can take to avoid disaster.

For example, Davidson urged users not to ignore security basics, such as boundary checks. "If you check 20 out of 21 boundaries, and you miss one of them," you're headed for trouble, she said.

"You say the enemy of security is complexity," Davidson said. "I would say the enemy of security is also manual processes."

Grid computing, Davidson said, does not pose a greater security risk to users than prior architectures do. This has been a major worry among many users at the conference. "In certain respects, the security issues don't change," she said.

There is more concern than ever before about security at the database and application server level, Newman said. The first thing for DBAs and developers to know is that they should not rely on their firewalls as a last line of defense.

"Perimeter security is not your last line of defense," Newman said. "You need to go deeper than that. We need to start concentrating on securing the database at its source."

With OracleWorld coinciding with the two-year anniversary of the September 11 attacks, many users were looking for opinions about the vulnerability of computer systems to terrorist threats.

In general, the panelists agreed that the focus should remain on developers, many of whom are making mistakes and leaving their systems vulnerable to attacks.

Gartner's Pescatore also told attendees to boycott products from vendors that use the possibility of a terrorist attack to hawk their wares.

"Instead of counting attacks," Pescatore said, "users should be asking themselves when they last scanned for vulnerabilities and determining how many of those vulnerabilities can affect them."
